Public Roads - Winter 2021

Issue No: Vol. 84 No. 4

Handling Risk: FHWA's Integrated Approach

by Daniel Fodera

Over the years, government operations have changed dramatically, becoming increasingly complex and driven by changes in technology. At the same time, stakeholders expect greater program integrity, efficiency, and transparency in government operations within existing resource constraints.


Risk exists throughout an organization, at the enterprise, program, project, and activity levels.


In response, Federal agencies are implementing enterprise risk management, an approach that brings together risk management, strategic and performance planning, and internal control processes. Implementing enterprise risk management engages an organization across all mission and mission-support functions to improve efficiency, effectiveness, and compliance.

"For the Federal Highway Administration, enterprise risk management is the latest step in the agency's journey of continuous improvement," says Peter Stephanos, FHWA's acting Chief Strategy Officer. "What is new is the integrated approach between strategic planning and review, internal control, and risk management."

Using Risk Management to Focus on Results

Strategic and performance planning gained traction in 1993 after Congress required Federal agencies to focus on performance by developing long-term and annual goals, then measuring and reporting on progress toward those goals. The intent was to shift Federal Government focus from program activities and processes to a focus on desired results.

To achieve successful outcomes and fulfill an organization's mission, policymakers and program managers continually seek ways to improve accountability. A key factor in improving accountability is implementing an effective internal control system. Doing so helps the organization adapt to shifting environments, evolving demands, new priorities, and changing risks by applying risk management techniques.

Risk management has been a part of FHWA's approach to stewardship and oversight for two decades. In 2001, FHWA policy called for each office to conduct risk/benefit assessments to evaluate the implementation of FHWA programs and develop work plans consistent with the results. The policy aimed to enable flexibility for FHWA offices in tailoring a process with their partners. As FHWA and its partner agencies became more familiar with the risk/benefit assessment process, FHWA issued additional guidance on how to manage risk.



Managing Risk in the Recovery Act

FHWA used a risk management approach in the successful delivery of the American Reinvestment and Recovery Act of 2009. In order to deliver projects quickly, the $787 billion Recovery Act released an additional $27.5 billion for highway projects across the Nation. Although the highway portion represented a small part of the total program, it was highly visible. The visibility, rapid influx of dollars, economic environment, and Federal reporting requirements gave rise to a challenging risk environment.

Some of the specific risks included projects administered by local public agencies—some of which were unfamiliar with Federal requirements related to contract administration, environmental compliance, civil rights program requirements, and project reporting. FHWA took a national, strategic approach and responded to these risks by increasing communications, providing additional resources, and conducting onsite reviews of projects to identify and resolve issues. Federal-aid divisions identified risks within each State and tailored their risk response activities to their environment. Division and national engineers and technical specialists worked to identify and effectively address risks to individual projects. The result was that FHWA successfully delivered the Recovery Act projects by addressing risks at multiple levels of the organization.


Part of risk management is knowing when to accept or avoid threat risks, and when to pursue opportunities.


Risk Management at All Levels

The multilevel approach to the Recovery Act exemplifies how an organization manages risk. Effective organizations manage risk at the enterprise, program, project, and activity levels.

Risks at the enterprise level affect the entire organization. They may be external strategic risks or internal risks that cut across units or multiple programs. Programs comprise the groups of related projects, subsidiary programs, and program activities. Coordinating and managing risk at a program level provides benefits not available from managing these activities individually. Projects comprise temporary endeavors undertaken to produce a unique product, service, or result. Individual projects may have unique risks to their success. Activities involve a coordinated set of ongoing actions taken to support projects or programs. There are risks at the activity level too.

The responsibility for managing risk at each level lies with the managers or leaders responsible for the success of that part of the organization. Enterprise-level risk is managed by the senior executives, program risk by the program managers, project risk by the project managers, and activity risk by those responsible for that activity.

"The process for managing risk is consistent regardless of whether it's being applied at the enterprise, program, project, or activity level," says Brian Bezio, FHWA's Chief Financial Officer.



This consistency in the core process can also be seen in the different standards or guides for risk management—such as ISO 31000:2018, the Project Management Institute's Project Management Body of Knowledge, or OMB Circular No. A-123, "Management's Responsibility for Enterprise Risk Management and Internal Control." The process includes communication and consultation, understanding the risk context, risk assessment (identifying, analyzing, prioritizing), responding to risk, and monitoring the results. An important consideration in applying the risk management process is the organization's attitude toward risk—its risk appetite.

Risk Appetite

Risk appetite is the type and amount of risk, on a broad level, that the agency is willing to accept in pursuit of program objectives. Explicit risk appetite statements aid units in understanding when an organization will and will not accept risk in order to achieve goals and objectives. In addition, risk appetite describes how an organization will respond to risk, including the subsequent actions undertaken as a result.

Risk appetite informs decisionmaking. It represents risk posture at the enterprise level, and the absence of a risk appetite statement does not mean that the agency faces no other risks. FHWA has developed risk appetite statements with the intention that they will evolve over time in response to changing priorities and internal and external contexts.

FHWA risk appetite statements describe opportunities the agency is willing to pursue to help achieve goals and objectives. Acceptable risk means that the benefits of pursuing certain opportunities outweigh the potential threats. For example, transferring certain responsibilities to recipients when effective controls are in place and pursuing the deployment of innovations could realize long-term benefits to transportation, and those benefits could outweigh the risks. Each statement contains conditions that must be met when taking on these risks.

The FHWA risk appetite statements also describe how the agency will respond to threat risks. These are situations where threats, if realized, could have adverse impacts to public safety, system resiliency, the Federal investment, and FHWA's credibility.


Identifying Program Objectives

Defining objectives at the appropriate level of the organization is an essential component of the enterprise risk management framework. By definition, risk represents the effect of uncertainty on objectives, so risk management cannot be effective if objectives are unclear, undefined, or inconsistently understood. FHWA uses its enterprise risk management to explicitly define objectives for Federal Highway programs.

Program objectives support the achievement of FHWA strategic goals and objectives. They provide a consistent framework for understanding risk and developing activities across the organization. The agency evaluates the risks to achieving its program objectives and prioritizes responses based on risk appetite.


Risk Management at FHWA

FHWA applies the risk management process across the enterprise to develop strategic plans every few years and unit performance plans each year. The agency integrates strategic planning, performance planning, and risk management into the performance planning cycle. The cycle begins with the establishment of program objectives and risk appetite. The FHWA leadership team establishes risk appetite and agency-wide program objectives that align to the strategic objectives.

Program offices assess program areas to evaluate efficiency, effectiveness, and compliance at a national level. These program assessments validate or identify critical activities to be undertaken by the agency. They also identify areas to reduce effort or improve efficiency and use of agency resources. The program offices apply the program and risk assessment process to involve stakeholders, offices, and individuals from across the agency. The program offices, coordinating with the Chief Strategy Officer, bring the results of these assessments to the FHWA leadership team, which then communicates them to the agency as draft activities.


Managing risk involves paying attention to factors that affect the work, monitoring results, and making adjustments in how to focus resources.


Units provide comments on the draft activities that provide important perspective and are considered in developing a final enterprise performance plan. Units conduct risk assessments to evaluate opportunities and threats to achieving program objectives, assigned critical activities, and available resources. By using the risk management process and applying risk appetite throughout, units identify, evaluate, and prioritize their risks and develop response strategies to address the top risks. The risks identified by FHWA for programs and projects are managed in consultation with State partners within the context of a federally-assisted, State-administered program.

The finalized annual unit performance plans include significant activities for the coming year, critical activities, and responses to top risks. Units implement plans, monitor results, and reassess risks. The program offices and FHWA leadership team monitor and consider performance results and risks, which become part of the organizational context as the cycle repeats.

Framing the Future

The enterprise risk management framework establishes a consistent approach to identify, assess, and prioritize threats and opportunities so that FHWA can decide how to address future issues affecting the Federal-aid and Federal Lands Highway Programs and national objectives. The framework helps to focus limited resources, strengthen the ability to efficiently and effectively manage programs, and communicate consistently about what the agency should focus on and why. Enterprise risk management helps to provide reasonable assurance that FHWA understands the risks associated with achieving objectives and responds appropriately.


How does ERM help achieve objectives? Begin with "The Work We Do" and follow the process.


"Enterprise risk management is about making risk-based corporate decisions to most effectively and efficiently carry out our programs," says Thomas Everett, FHWA's Executive Director. "Through ERM, we will better understand when we should be involved and when we can reduce effort in our program and project level actions. By considering our appetite for risk and by assessing our programs, we can make these decisions in a more informed manner."

Daniel Fodera is the corporate performance and risk management officer in FHWA's Office of Stewardship, Oversight, and Management. He has held positions in field offices and headquarters. Daniel holds one U.S. patent and is a Certified Enterprise Risk Manager. He holds a master's degree in public administration from the University of Maryland Global Campus (Europe) and a Master Black Belt Certificate in Lean Six Sigma from Villanova University.

For more information, contact Daniel Fodera at 404–562–3672 or